
Re: Bastion host



I'm not familiar with the book but if I'm reading this
correctly you are blocking all incoming packets except
for allowing this host to ssh back to itself. Is this
really what you want to do?
Also make sure that pflogd is running otherwise no
logging will take place.
Regards
Simon
--- Martin Randall <[email protected]> wrote:
> Hello.
> 
> I was following the instructions in Building
> Firewalls with OpenBSD,
> appendix C.2 Bastion host II (some access allowed).
> 
> The reason is that I just wanted to log any sweeps or
> connections internally to the
> machine.
> 
> When I turn it on
> 
> pfctl -e -f /etc/pf.conf
> 
> It locks everything out and there is no logging in
> /var/log/pflog0
> 
> This is the code as per the book with comments
> removed.  I changed the 
> ext_if to my nic
> 
> ext_if="fxp0"
> 
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
> 
> scrub in all
> scrub out all
> 
> block in log all
> 
> pass out quick on $ext_if inet \
> from ($ext_if) to any flags S/SA keep state
> 
> pass in quick on $ext_if inet proto tcp \
> from ($ext_if) \
> to ($ext_if) port 22 \
> flags S/SA synproxy state
> 
> antispoof for $ext_if
> 
> 
> Why doesn't this work ?
> 
> What is the fix/solution ?
> 
> Regards...
>  
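An added example, not taken from either message above: the same rule set with the SSH rule corrected so that a management host can reach the bastion while every other inbound packet is still logged and dropped. The interface fxp0 is taken from the thread; the admin address 192.0.2.10 is a placeholder.

```pf
# Added example (not from the thread): bastion host that logs every
# blocked packet and still lets one administrator in over SSH.
# Assumptions: external NIC is fxp0 as in the thread; 192.0.2.10 is a
# placeholder for the real management host.
ext_if="fxp0"
admin_host="192.0.2.10"       # placeholder: where SSH logins come from

set require-order yes
set block-policy drop
set optimization normal
set loginterface $ext_if      # keep per-interface counters (pfctl -si)

scrub in all
scrub out all

# Default deny, logged.  These log entries are what pflogd writes out.
block in log all

# Spoof protection goes before any "quick" pass rule, otherwise a packet
# forged with this host's own address could match the pass rule first.
antispoof log for $ext_if

# Outbound traffic originated by the bastion itself.
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# SSH in, but only from the management host.  The original rule said
# "from ($ext_if)", i.e. only packets whose source is this box's own
# address, which no remote client ever matches, so every login was dropped.
pass in log quick on $ext_if inet proto tcp \
    from $admin_host \
    to ($ext_if) port 22 \
    flags S/SA synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before enabling it, then confirm pflogd is running: it writes to /var/log/pflog (pflog0 is the capture interface, not a file), which you read with `tcpdump -n -e -ttt -r /var/log/pflog`.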